Do You Need a Data Representative in the EU for GDPR Compliance?
By now, one of the things best known about the GDPR is that it applies to data controllers and processors based both within and outside of the EU.
In addition to meeting the general compliance standards, controllers and processors outside the EU also need to take a few extra steps to make themselves more available to regulatory authorities. One of these steps is the need to appoint a Data Representative.
A Data Representative is not a Data Protection Officer (DPO). It is a distinct role with its own responsibilities. So, if you already have a DPO, you're not off the hook.
- 1. What is an EU Data Representative?
- 2. Who Needs an EU Data Representative?
- 3. Who Can Be Your EU Data Representative?
- 4. Where Should Your EU Data Representative Be Located?
- 5. How to Appoint an EU Data Representative
- 6. What's the Difference Between an EU Data Representative and a Data Protection Officer (DPO)?
- 6.1. Can a DPO Fulfill the EU Representative Role?
- 7. How to Share Your EU Data Representative's Details
What is an EU Data Representative, and when do you need one? We'll explain.
What is an EU Data Representative?
The GDPR covers the Data Representative issue in Article 27.
According to Article 27(3), the Data Representative is:
- Nominated by the controller or processor to be addressed in addition to the controller or processor (by EU regulatory bodies)
- Established in a member state where you process personal data (or monitor behavior)
They can be a natural or legal person based in the EU, whom the EU or relevant GDPR supervisory authorities can contact for any issue related to your data processing.
However, it is also possible that the role will evolve into one provided by corporate or legal services based in the EU. This evolution already seems to be the case.
The GDPR Data Representative performs several functions beyond being the named point of contact for European regulators. If called upon, they also:
- Act on your behalf with supervisory authorities
- Help you meet Article 30 requirements (record of processing activities (ROPA))
- Make records available to supervisory authorities
- Provide you with updates, amendments, and new readings of the GDPR rules as they apply to your business
However, the GDPR doesn't explicitly assign any major responsibilities to the EU Representative. As a result, you may hire a Data Representative without ever requiring much from them (usually as long as you comply with the regulations).
Who Needs an EU Data Representative?
You need an EU Data Representative if you process large amounts of data from EU data subjects or if you process special categories of data and you don't have an office in the EU.
Your EU Representative is like your public face in the EU. It easier for international bodies to get in touch with someone based in the EU/EEA than it is to request contact with a business elsewhere. So, in addition to your Representative providing you with timely updates about EU law, the regulatory authorities can also bring proceedings against the Representative for breaches you committed.
Article 27 applies to controllers and processors whose GDPR compliance is mandated by Article 3(2), which says:
"This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- The monitoring of their behaviour as far as their behaviour takes place within the Union"
However, Article 27(2) provides an exception for processors outside the Union whose processing:
- Is occasional
- Does not include large scale processing
- Does not include special data categories (described in Article 9(1))
- Is unlikely to present risks to "rights and freedoms" of EU data subjects
It also doesn't apply to a public body.
So what does this mean in practice?
In other words, if you are a big retailer without an EU office but you regularly serve customers located in the EU, then you need an EU Representative. For example, Macy's, the department store, ships to the EU and courts EU customers. It needs an EU Representative.
If you're a mom-and-pop shop with an e-commerce store and the occasional EU customer (one every few months), then Article 27(2) allows you to skip the Data Representative requirement. You simply don't process enough data or present enough risk to EU data subjects to qualify.
However, if you have a steady revenue stream from the EU, you process special types of data or you intend to expand your business, you should nominate one, even if only to be extra safe.
Who Can Be Your EU Data Representative?
Your Data Representative can be a natural or legal person (like an attorney or specialist) located in the EU member state where you process the most data. It is very likely that you will see law firms and privacy expert solutions pop up to fulfill this role. Why? Because Recital 80 of the GDPR says that:
"The designated EU Representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
Your Data Representative can get in trouble themselves if you violate the GDPR requirements.
Why would the EU bring a case against them? It is difficult to bring lawsuits against parties located outside the relevant state. Your Representative, then, is a means of reaching your company where national or international law won't. They have to appear in court even if you don't technically have to show up (thanks to international law).
As a result of the potential for enforcement proceedings, only those with expert working knowledge of the GDPR and adequate risk protection are likely to offer their services as Data Representatives. They will also need the resources to communicate in each of the EU's 24 languages because they can receive communications from virtually any EU supervisory body where you process data.
The GDPR says the controller and processor are always accountable, but it does seem that the regulator can implicate the Data Representative if they choose. This is also perhaps to ward off false EU Representatives offering services to processors and controllers abroad without adding any value or helping them uphold the law.
Regardless of the motivation behind the practice, the enforcement of this remains to be seen as cases appear. Like so many elements of the GDPR, the understanding of this recital is evolving and you can expect more clarity in the coming years.
Where Should Your EU Data Representative Be Located?
If you process data evenly across the EU, you can select which EU member state your Representative is located in.
In these cases, many firms may find the Republic of Ireland to be the simplest solution. It is already a large hub for international business. Plus, both the regulator and the EU Representatives speak and conduct business in English first.
The Netherlands is another good option as they are a base for many multi-national companies anyway and also provide legal and accounting services in English.
The UK is no longer a good option given its attempts to leave the EU: your EU Representative must be in a member state. So, if you choose a Representative in the UK, you may need to nominate a new one in the coming years.
However, if you process the bulk of your data in one country, then that's the place where you need to elect your EU Representative. For example, if most of your work happens in Poland, then you must choose Poland. This should not be a problem as you would theoretically have business ties to Poland anyway.
How to Appoint an EU Data Representative
If you need an EU Data Representative, the law says you must appoint them in writing.
Your EU Data Representative Appointment Letter must include:
- Your company name and address
- Your EU Representative's name and contact details
- A reference to the need to appoint one as a result of Article 27
Additionally, your contract should include the following details:
- Conditions of the appointment (pay, hours worked, termination notice, etc.)
- Clauses balancing liability
- Indemnity clause
- An NDA
These details protect your company from disclosures or mistakes made by your Representative.
Why is this letter so important? First, because the GDPR requires the nomination to occur "in writing." Second, because it serves as a written contract between your company and the Representative. The EU can use the contract to exercise its right to bring proceedings against your Representative in the event that it cannot reach you.
What's the Difference Between an EU Data Representative and a Data Protection Officer (DPO)?
As mentioned earlier, the Data Representative and the Data Protection Officer (DPO) are not the same role. They apply to different parties and they perform different functions.
In theory, the distinction is straightforward.
If you have an EU office and process either "large volumes" or "sensitive data" or you are a public body, then Article 37 requires you to appoint a Data Protection Officer. The rule applies to both companies inside the EU and outside the EU. A DPO can also be inside or outside the organization (an employee or a third party).
If you don't have a physical operating presence in the EU, then you must appoint an EU Representative. You may or may not also need a DPO. However, a Representative is a moot point for anyone with an EU base.
What's more, the DPO has distinct responsibilities that they must fulfill. These responsibilities include:
- Educating staff on compliance and GDPR responsibilities
- Monitoring data processing practices for compliance
- Performing compliance audits
- Cooperating with the relevant data protection authorities
- Receiving requests and correspondence from data subjects
- Keeping records of data processing activities and providing them upon request
The bottom line: a DPO is a critical part of an organization's GDPR compliance efforts and often a full-on job. They also assume a public-facing role and receive communications from data subjects.
Your GDPR EU Representative is just a go-between for you and the EU.
Can a DPO Fulfill the EU Representative Role?
In theory, they can. There is nothing in the law that prevents a DPO from also serving as an EU Data Representative. But there aren't any recitals that say you can do it either. And it isn't encouraged.
The Irish Data Protection Commissioner (DPC) has attempted to answer the question. It considers the dual role an option in limited cases. However, you still need to make sure that your DPO fulfill theirs original purpose and avoids anything that may present a conflict of interest.
Before you merge the two roles, know this: the Irish DPC also said that a conflict of interest would likely arise due to the DPO's need to communicate with data subjects.
So, you should nominate two different parties for both the DPO and the EU Representative to avoid trouble.
How to Share Your EU Data Representative's Details